
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
United State
kudos:4
Reviews:
·Time Warner Cable

1 recommendation

Good Passwords Made Easy

»www.osnews.com/story/26544/Good_···ade_Easy

"If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!"
--
Ant @ AQFL.net and AntFarm.ma.cx. Please do not IM/e-mail me for technical support. Use this forum or better, »community.norton.com ! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.


Cudni
La Merma - Vigilado
Premium,MVM
join:2003-12-20
Someshire
kudos:13

1 recommendation

As simple as that and yet vastly effective

Cudni


DannyZ
Gentoo Fanboy
Premium
join:2003-01-29
Erie, PA

2 recommendations

reply to antdude
Click for full size


Ian
Premium
join:2002-06-18
ON
kudos:3

1 recommendation

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary based attacks WILL assume that you might string one, two, three, four, five..... common English words together to form a pass-phrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


TheTechGuru

join:2004-03-25
TEXAS
kudos:2
reply to antdude
»www.grc.com/haystack.htm

Nuff said!
--
CompTIA Network+ Certified


DannyZ
Gentoo Fanboy
Premium
join:2003-01-29
Erie, PA
reply to Ian
I use strings of words with different languages mixed in sometimes. I think it's pretty secure.


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

1 recommendation

reply to antdude
"Never use the same password twice" should be "never use the same password on sensitive sites" IMO. Creating unique passwords for every single site is needlessly annoying.

Someone cracks my account here, for example, sure they could try the same password elsewhere (let's assume for the moment they find the one other place I have the same username) and it'll work--but guess what, it's another meaningless account and what have they gained? Nothing that could help them hack another account. No PII. They try to take that pass and hit my banks, any work stuff, or anything remotely sensitive, they'll be trying forever.

quote:
He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password.
I don't think I need to elaborate on how stupid this is.
--
Think Outside the Fox.


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to antdude
Sorry, this is what I'm doing my next speech on for my speech class. It is a persuasive speech, by the way.

A password manager is the only way to go. I use the premium version of LastPass with a Yubikey for two factor authentication.

The next best is to just jam on the keyboard and save the results in an encrypted text file. The problem is if the only copy is on a USB drive you're just asking to be locked out of every account that is listed.

The best advice in the article is NEVER USE THE SAME PASSWORD TWICE. The problem is there is no way to remember all of the different passwords, plus user name, for the different sites. With the number of sites that get hacked your user name and password will probably be on one of them in any given year, if you have any real web usage. If you're lucky it will become public. If you're really lucky they salted and hashed the passwords. However, if they got hacked they may have stored your data in plain text and won't make it public they got hacked. Any site you use that password on will be compromised also.

Using a password manager such as LastPass helps protect you from spoofed sites. If the link looks like PayPal, but isn't, LastPass won't be able to fill in your data because the site doesn't match anything in your password list.

A password manager can create and remember large complex passwords for many sites, easily. There are many more benefits, especially with LastPass. Such as one time use passwords, generate one, store it in your safe deposit box. If you die someone will have access to all of your password protected accounts, quickly and easily.

No, I don't make any money from LastPass, but I do think it is a great, and inexpensive product.
--
Want the shirt? - »www.despair.com/thedestructor.html
Not affiliated or making any profit from sales


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to antdude
One observation seems in order here. If a person uses any on-site software password manager, they need to be absolutely certain to keep a written record off-site of any passwords for financial or paid-subscription accounts (as well as anything else they deem truly important). Houses can burn down or flood out - and they generally take down their computers with them. Laptops and PCs can get stolen. Cloud access can become problematic for a variety of reasons or at certain times. In those situations, with a new or borrowed computer, the last thing anyone wants is to find themselves locked out of critical or important accounts just because they can't get at their passwords. Just sayin'...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
I know that LastPass allows you to download your passwords if you want. There is also an "offline" option on the Apple App. However, if you're accessing an account odds are you have access to the cloud.

LastPass - Where is my data stored on my computer?
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” – Robert A. Heinlein


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Ian
said by Ian:

That cartoon always annoys me. It's wildly incorrect unless you assume that password crackers always use brute-force. And since they don't, it's a terrible assumption.

Dictionary based attacks WILL assume that you might string one, two, three, four, five..... common English words together to form a pass-phrase. The estimation of the entropy differences here is wildly optimistic. That said, four English words is still a pretty good password.

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999

Airtj

join:2001-08-08
Clifton, VA
I too use lastpass but with Google Authenticator.

I recall reading something in this forum on how to create good passwords. Something you can easily remember, let's say Nissan for a car you own and the model is let's say 300zx.

You then include the site you are accessing and put them together. That way you can easily remember each password for each site.

So using that example the password here would be:

NissanBroadBand300zx

Gmail would be

NissanGmail300zx

Or something like that, depending on where you place each item and if you capitalize them or not.


Ian
Premium
join:2002-06-18
ON
kudos:3
reply to KodiacZiller
said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

1 recommendation

Rule of Thumb: if you need a NYT article to tell you the rules about passwords, you are already doomed.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


KodiacZiller
Premium
join:2008-09-04
73368
kudos:2
reply to Ian
said by Ian:

said by KodiacZiller:

If the words are chosen perfectly randomly from an English dictionary, then the machine would have to guess from the dictionary randomly. This is the whole idea behind the diceware method.

I'm aware of that. But that wasn't the complexity calculation used by the cartoon author.

Maybe not, but the diceware method is still the best way to create strong passwords that are easy to remember.

For example, let's say that you have a word list of 10,000 English words to choose from. Let's further assume your adversary *knows* that you used this list. Here's the entropy for passwords made with different lengths:

4 words = 53 bits
5 words = 66 bits
6 words = 80 bits
7 words = 93 bits

So you'll need at least 6 words to be sure that the password won't be cracked. 80 bits is plenty strong. The nice thing about this is the adversary can know the wordlist and it doesn't matter as long as your password is long enough and chosen *randomly*.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They don't want to change; they are happy with slowly dying inside. -- munky99999
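Worked example of the entropy figures in the post above (added here; not code from any poster). It computes word-count entropy for a wordlist the attacker is assumed to know, compares it with random printable characters, and draws words with the OS CSPRNG. The eight-word DEMO_WORDLIST is constructed for the demo only and is far too small for real use.

```python
import math
import secrets

# Constructed miniature wordlist for the demo only. A real diceware list has
# 7,776 entries; the post above assumes a 10,000-word list.
DEMO_WORDLIST = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "ocean"]


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly at random from a list of
    `wordlist_size` words. The attacker is assumed to know the list, so only
    the random choice contributes entropy: word_count * log2(wordlist_size)."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word and a list of two or more words")
    return word_count * math.log2(wordlist_size)


def character_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of `length` characters drawn uniformly from an alphabet
    (95 = printable ASCII), for comparison with the word-based figure."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(word_count: int, wordlist=DEMO_WORDLIST) -> str:
    """Pick words with the OS CSPRNG (secrets), not random.choice: the
    entropy argument only holds if selection is uniform and unpredictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


def entropy_table(wordlist_size: int = 10_000, counts=(4, 5, 6, 7)) -> dict:
    """Reproduce the post's table: word count -> entropy rounded to whole bits."""
    return {n: round(passphrase_entropy_bits(n, wordlist_size)) for n in counts}


if __name__ == "__main__":
    for n, bits in entropy_table().items():
        print(f"{n} words = {bits} bits")
    print("words for 64 bits from a 10,000-word list:", words_needed(64, 10_000))
    print("8 random printable chars:", round(character_entropy_bits(8)), "bits")
    print("sample (demo list, NOT for real use):", generate_passphrase(6))
```

Eight uniformly random printable characters come out at about 53 bits, the same as four random words from the 10,000-word list, which is the comparison the cartoon debate above turns on.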


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1
Now if only we could get all websites to accept the long passwords required for such an approach.


Ian
Premium
join:2002-06-18
ON
kudos:3
said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Well, that and the fact that typing in a 6 word password is a little on the cumbersome side.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong


Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to sivran
said by sivran:

Now if only we could get all websites to accept the long passwords required for such an approach.

Amen. There should be no limit on length, other than maybe less than 256. It ticks me off that I can only have a 12 character password on my 401k, as I've moved up to 15 character passwords.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” – Robert A. Heinlein